BIND version security threat

Discussion in 'Bind/DNS/Nameserver' started by matins007, May 16, 2009.

  1. matins007

    matins007 Member

    Joined:
    Jan 15, 2009
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    51
    Hi,

    My website is scanned on a regular basis for PCI compliance. It was all working fine for the last few months, but yesterday they found something new.

    >>>>
    BIND EVP_VerifyFinal() / DSA_do_verify() Return Checks Risk Port/Protocol ID

    Synopsis:
    The remote name server is affected by a signature validation weakness.

    Solution:
    Upgrade to BIND 9.3.6-P1 / 9.4.3-P1 / 9.5.1-P1 / 9.6.0-P1 or later.

    Description:
    According to its version number, the remote installation of BIND does
    not properly check the return value from the OpenSSL library functions
    'EVP_VerifyFinal()' and 'DSA_do_verify()'. A remote attacker may be
    able to exploit this weakness to spoof answers returned from zones for
    signature checks on DSA and ECDSA keys used with SSL / TLS.
    >>>>

    My Update Config setting is set to Automatic (CURRENT tree). I even did a manual update but my version is still BIND 9.3.4.

    Is there another solution than upgrading this by hand in SSH? Are they just freaking out for nothing?

    Thanks for your help on this.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    It's probably a false-positive due to back-porting by the OS provider. What OS are you running? If you're running bind v9.3.4 my guess is that it's CentOS v5.3 or RHEL v5.3 (i.e. bind-9.3.4-10.P1.el5), if so, and you have your OS up to date, then it's likely a false-positive.

    One good measure with bind is not to announce its version number. You can prevent this by editing /etc/named.conf (or /var/named/chroot/etc/named.conf if you run bind-chroot) and in the options {} section set:

    version "not currently available";

    Then restart named.
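As an added example (not from this thread, cPanel or the BIND project), the following Python script triages a server's version.bind answer against the fixed releases listed in the scanner finding above, and treats a distro-suffixed version such as 9.3.4-10.P1.el5 as "check the package changelog" rather than "vulnerable", which is exactly the backport false positive described. It assumes dig and rpm are on the path; the server address is a placeholder.

```python
import re
import subprocess

# Minimum fixed release per BIND branch, taken from the scanner finding
# quoted in the thread: 9.3.6-P1 / 9.4.3-P1 / 9.5.1-P1 / 9.6.0-P1.
FIXED = {(9, 3): (6, 1), (9, 4): (3, 1), (9, 5): (1, 1), (9, 6): (0, 1)}

# major.minor.patch, optional upstream -Pn, then any vendor suffix (e.g. -10.P1.el5)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(.*)$")

def query_version_bind(server="127.0.0.1"):
    """Ask named for its CHAOS-class version.bind TXT record (needs dig)."""
    out = subprocess.run(["dig", "@" + server, "version.bind", "CHAOS", "TXT", "+short"],
                         capture_output=True, text=True, check=False).stdout
    return out.strip().strip('"')

def changelog_mentions_fix(package="bind"):
    """True if the RPM changelog records the OpenSSL return-check fix (needs rpm).
    This, not the version string, is what decides a backport false positive."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True, check=False).stdout
    return bool(re.search(r"EVP_VerifyFinal|DSA_do_verify", out))

def triage(version_text):
    """Classify a version.bind answer the way a version-only scanner would,
    and flag the cases where that answer alone cannot be trusted."""
    m = VERSION_RE.match(version_text)
    if not m:
        return "hidden"              # e.g. 'not currently available': nothing to fingerprint
    major, minor, patch, p_level, vendor = m.groups()
    branch = (int(major), int(minor))
    if branch not in FIXED:
        return "unknown-branch"      # not covered by this advisory's fixed list
    if (int(patch), int(p_level or 0)) >= FIXED[branch]:
        return "fixed-upstream"
    if vendor:
        # Distro packages keep the old upstream number but may carry the fix
        # as a backport; only the package changelog can settle it.
        return "possibly-backported"
    return "vulnerable-by-version"

if __name__ == "__main__":
    answer = query_version_bind()
    verdict = triage(answer)
    if verdict == "possibly-backported":
        verdict += " (changelog fix found)" if changelog_mentions_fix() else " (no fix in changelog)"
    print(f"version.bind={answer!r} -> {verdict}")
```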
     